CVE-2025-48086: 
WordPress vulnerability analysis and mitigation

The CVE-2025-48086 is a Deserialization of Untrusted Data vulnerability discovered in wpdreams Ajax Search Lite WordPress plugin versions through 4.13.3. The vulnerability was disclosed on October 21, 2025, and allows for PHP Object Injection in the plugin (Patchstack VDP).

The vulnerability has been assigned a CVSS score of 5.5, indicating a moderate severity level. It is classified under the OWASP Top 10 category A3: Injection. The vulnerability requires administrator-level privileges to exploit and involves PHP Object Injection, which could potentially lead to code injection, SQL injection, path traversal, or denial of service if a proper POP chain is present (Patchstack VDP).

The vulnerability has been assessed as having a low severity impact and is considered unlikely to be exploited. If successfully exploited, it could potentially allow malicious actors to execute various types of attacks including code injection, SQL injection, path traversal, and denial of service attacks, contingent upon the presence of a proper POP chain (Patchstack VDP).

The vulnerability has been patched in version 4.13.4 of the Ajax Search Lite plugin. Users are advised to update to version 4.13.4 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack VDP).